The LiteLLM Supply-Chain Attack That Exposed Mercor

SAN FRANCISCO — A late-March supply-chain attack that inserted malicious builds into the widely used LiteLLM package has left Mercor — a $10 billion AI staffing and data-labeling platform — defending multiple class-action suits and navigating a business freeze that reverberated across major AI labs this April. Investigations and court filings now provide a clearer, consolidated timeline tying the incident to a narrow window of attacker activity and a broader failure across the open-source and compliance ecosystem.

How the Attack Worked

The attack began when the threat group tracked as TeamPCP exploited a GitHub Actions workflow vulnerability in Trivy, the open-source container scanner used by many CI/CD pipelines. That compromise allowed the attackers to harvest publishing credentials from LiteLLM's CI runner and push two malicious PyPI releases — LiteLLM 1.82.7 and 1.82.8 — on March 24.

The malicious packages were available on PyPI for only minutes to a few hours. Mercor's automated dependency pipeline pulled the compromised builds during that brief window, installing a payload that extracted SSH keys, cloud credentials, and Kubernetes secrets.

What Was Exposed

Within days of the initial compromise, the extortion group Lapsus$ claimed to have obtained approximately 4 terabytes of Mercor data. Court filings and reporting indicate the stolen cache included:

Plaintiffs are pursuing claims ranging from negligence and invasion of privacy to violations of state AI-video laws.

Business Fallout

Business fallout was swift. Major customers including Meta paused work with Mercor in early April while legal and forensic teams probed the scope of exposure. Other AI labs reportedly reviewed or halted pipelines that ingested Mercor-sourced training material.

The pause's rationale extended beyond exposed contractor IDs: investigators and corporate sources warned that the breach may have leaked labeling protocols, interview-scoring rules, and other proprietary training processes that sit inside Mercor's data flows — meaning the exposure could affect the AI labs themselves, not just the contractors.

The Compliance Gap

The incident also exposed gaps in the startup compliance market. Mercor had relied on security attestations from Delve Technologies. Whistleblower allegations and reporting claim those audits were largely automated and superficial, prompting questions about the reliability of compliance badges for suppliers that feed frontier AI models.

Delve has faced separate scrutiny and personnel changes in the weeks since the breach — raising broader questions about whether the compliance-attestation ecosystem is adequate for the level of trust placed in AI training vendors.

Technical Forensics

Security experts describe this as a classic supply-chain escalation pattern:

• Unpinned or permissive CI dependencies (Trivy actions)
• Token theft from a downstream open-source project (LiteLLM)
• Short-lived malicious PyPI releases
• Automated dependency updates on downstream consumers, including Mercor

Experts note that the brevity of the exposure window — minutes to a few hours — made detection difficult but did not limit the attack's impact. Many organizations default to "latest" dependency pulls in CI and production pipelines, meaning a brief malicious window is sufficient to compromise downstream systems at scale.

What It Means Now

Mercor's Position

Mercor has acknowledged being "impacted" by the LiteLLM compromise and says it is working with third-party forensics firms. The company disputes speculative claims in lawsuits and has not confirmed the full scope of exfiltration. For its part, LiteLLM's maintainers and other open-source projects involved have issued mitigations, rotated compromised tokens, and revised CI policies to reduce similar risks going forward.

Wider Implications

Security analysts warn this episode is a template for future attacks: adversaries will increasingly weaponize brief supply-chain windows to reach high-value downstream targets. The commercial ecosystem's reliance on automated compliance seals and large third-party open-source components creates systemic fragility for the AI training supply chain.

Policymakers and corporate buyers now face pressure to require stronger provenance, attestations, and independent audits for suppliers that process sensitive human data used to train foundation models. Whether the lawsuits, audits, and technical fixes produce durable change — or merely temporary hardening — will be a key watchpoint for the AI industry through mid-2026.

What Affected Workers Should Do